1. Field of the Invention
The embodiments of the invention relate to a method and apparatus for in-band processing of data traffic. Specifically, embodiments of the invention relate to a method and apparatus for in-band decryption and analysis of data traffic without terminating the session between the two endpoints.
2. Background
Encrypted communication is in common use over networks and the Internet to protect sensitive data from being intercepted and misappropriated. An encrypted communication session is established through an initial key exchange protocol, such as the Internet Key Exchange (IKE) protocol used by the Internet Protocol Security (IPSec) protocol. This exchange takes place between the two endpoints, or termination points, of the communication session in order to determine a set of keys that will be known only to the two endpoints and that can be used to encrypt the data traffic between them. Other security protocols in common use include the point-to-point tunneling protocol (PPTP), secure sockets layer (SSL), transport layer security (TLS) and similar protocols. These protocols may utilize, or be paired with, cryptographic algorithms such as the Diffie-Hellman algorithm, Rivest-Shamir-Adleman (RSA) or similar algorithms, some of which may provide perfect forward secrecy (PFS).
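As an added illustration that is not part of the patent text, the following toy Diffie-Hellman exchange in Python demonstrates the property the background relies on: the session key can be reproduced only by a party holding one of the two private exponents, so a third server that did not take part in the exchange cannot derive it, and fresh ephemeral exponents give every session a distinct key (perfect forward secrecy). The group parameters, function names and key derivation are simplified assumptions for illustration, not IKE's actual procedure.

```python
import hashlib
import secrets

# Toy group parameters, constructed for illustration only: a real IKE exchange
# uses a large standardized MODP or elliptic-curve group, not a 127-bit prime.
P = 2**127 - 1
G = 3


def keypair():
    """Generate one endpoint's ephemeral private exponent and public value."""
    priv = secrets.randbelow(P - 2) + 1   # fresh for every session: the basis of PFS
    return priv, pow(G, priv, P)


def session_key(my_priv, peer_pub, transcript):
    """Derive a 32-byte session key from the DH shared secret and the public transcript."""
    shared = pow(peer_pub, my_priv, P)     # shared < P, so it fits in 16 bytes
    return hashlib.sha256(shared.to_bytes(16, "big") + transcript).digest()


def run_session():
    """Simulate one client/server exchange plus a third server that merely observes it."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    # Everything that crosses the wire, and therefore all a device in the path can see.
    transcript = c_pub.to_bytes(16, "big") + s_pub.to_bytes(16, "big")
    client_key = session_key(c_priv, s_pub, transcript)
    server_key = session_key(s_priv, c_pub, transcript)
    # A third server has its own key material but neither c_priv nor s_priv,
    # so the best it can do from the transcript is a key that matches nobody's.
    other_priv, _ = keypair()
    other_key = session_key(other_priv, s_pub, transcript)
    return client_key, server_key, other_key


def endpoints_agree_and_third_server_does_not():
    client_key, server_key, other_key = run_session()
    return client_key == server_key and other_key != client_key


def sessions_use_distinct_keys():
    """Two sessions built from fresh ephemeral exponents never share a key."""
    k1, _, _ = run_session()
    k2, _, _ = run_session()
    return k1 != k2
```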
These communication sessions often take the form of virtual private network (VPN) connections, session initiation protocol (SIP) based sessions and similar sessions. They allow a remote computer to communicate securely with a server. Multiple encrypted communication sessions may be set up simultaneously, each between a remote client computer and a server. However, this places a high load upon the server, because it becomes responsible for handling all of the encrypted communication services, including the decryption of the data traffic. Many VPN client software programs require that the VPN connections be terminated at the server and client computers and not at a third device. This configuration does not permit the load to be distributed dynamically to other servers, because the other servers are not able to decrypt the data traffic in order to process it. Instead, a client must make a direct connection to another server to divide the load. This makes the management of the load across a set of servers inefficient.